redline | 3c9481224a7c8ba107be9850b1cb62159867a780c1afcf75bb4a47bdbf042bc2 | Triage

Sharing

General

Target

C4Loader.exe
Size

126KB
Sample

221107-v78vbsabc3
MD5

fe189d6f17ac70da642777a955b699cc
SHA1

6dd9ab32e1bcc97bacee5d55498d78478e28a489
SHA256

3c9481224a7c8ba107be9850b1cb62159867a780c1afcf75bb4a47bdbf042bc2
SHA512

20379862c6253ade42ba5d5cc6fe6c40d4a15d85fe48514670381199a5aaf5c705a640e0749f4c00f38b58b909b33a02ccca338bc81a7b080e078b6bb8a2cb9f
SSDEEP

3072:vbQwc8GhRcGlcxE7Gi5NPf5uE5E6fRyF3HfPbGmX2w3KyPzapXc:vbJsFl26f5s6f+G63KyPz+Xc

Score

10^/10

redline 1 evasion infostealer

Malware Config

Extracted

Family

redline

Botnet

1

C2

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Targets

- Target
  
  C4Loader.exe
- Size
  
  126KB
- MD5
  
  fe189d6f17ac70da642777a955b699cc
- SHA1
  
  6dd9ab32e1bcc97bacee5d55498d78478e28a489
- SHA256
  
  3c9481224a7c8ba107be9850b1cb62159867a780c1afcf75bb4a47bdbf042bc2
- SHA512
  
  20379862c6253ade42ba5d5cc6fe6c40d4a15d85fe48514670381199a5aaf5c705a640e0749f4c00f38b58b909b33a02ccca338bc81a7b080e078b6bb8a2cb9f
- SSDEEP
  
  3072:vbQwc8GhRcGlcxE7Gi5NPf5uE5E6fRyF3HfPbGmX2w3KyPzapXc:vbJsFl26f5s6f+G63KyPz+Xc
Score

10^/10

redline 1 evasion infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Stops running service(s)
  evasion
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Impair Defenses

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

redline1evasioninfostealer